Operating Systems & Cyber Essentials: Ensuring Compliance

Written by Louise Ralston
Jun 15, 2026 - 14 minute read

Operating systems are the foundation of every device in your organisation, and need to be carefully considered as part of your Cyber Essentials compliance.


Last Updated June 2026

Getting the preparation right for Cyber Essentials certification goes a long way to increasing the chances of success.

At Cyber Tec, our experience has shown that operating systems are continually overlooked during this process and can easily create some big headaches further down the line.

The operating system is the foundation layer of any device.

It manages hardware, runs applications, controls user access, handles updates and acts as an integral component for security. If any operating system is unsupported, out of date or unmanaged, it can quickly leave your organisation exposed to known vulnerabilities that attackers understand how to exploit.

This is not a simple IT hygiene issue.

Companies need to ask four basic questions of their operating systems:

  • What is installed?

  • Is it supported?

  • Is it updated?

  • Can they evidence all this clearly?

The answers to each of these create a stable framework to build upon as part of a cohesive Cyber Essentials strategy.

Cyber Essentials & Operating Systems

Cyber Essentials treats operating systems as part of your overall software estate. The NCSC Cyber Essentials requirements define software as including operating systems, commercial applications, scripts, libraries, network software and firmware.

This means that all of the following operating systems are covered wherever they run on in-scope devices:

  • Windows OS
  • macOS
  • Linux
  • iOS
  • Android
  • ChromeOS

The practical requirement here is visibility.

Maintaining an inventory that shows devices, operating system versions, vendor support status, update status and any unsupported systems that need remediation or segregation is the only way to keep that visibility auditable and up to date.


What Does "Support" for Operating Systems Mean?

A supported operating system is one where the vendor still provides security updates or vulnerability fixes for the specific version in use.

An unsupported operating system may still turn on, run applications and appear normal to users. However, if it no longer receives security updates then new vulnerabilities may remain unprotected. That creates both a security risk and a potential Cyber Essentials compliance issue.

Organisations should therefore maintain a clear record of operating system versions, support status and known end-of-life dates across all in-scope devices.


Common Operating Systems: Cyber Essentials Support Considerations

| Operating system | Common use | What to check for Cyber Essentials |
| --- | --- | --- |
| Windows | Laptops, desktops and servers | Exact version, edition, support status, patching records and Windows 10 transition plan |
| macOS | Macs and MacBooks | Supported macOS version and current security updates |
| Linux | Servers, workstations and appliances | Supported distribution/version and patching evidence |
| iOS / iPadOS | iPhones and iPads | Whether devices access organisational data or services, and whether updates are enforced |
| Android | Phones, tablets and rugged devices | Manufacturer/model support, as update availability varies across devices |
| ChromeOS | Chromebooks | Auto Update Expiration date and whether updates are still available |


Which Devices and Operating Systems are in scope?

Your IT infrastructure is the ultimate target for cyber criminals.

Therefore, the key scoping test is not simply who owns the device, but whether the device can access your company data or services.

A company laptop, a remote worker’s desktop and a personally owned tablet with work apps installed may all need to be considered. It is their ability to connect to an organisation’s data that makes them potentially vulnerable, and they must be treated as in scope if they meet that criterion.

BYOD and Personal Devices

The issue of BYOD (Bring Your Own Device) is another common source of confusion in Cyber Essentials assessments. Every organisation should develop and maintain clear and actionable BYOD rules to clarify and monitor:

  • Which personal devices are permitted

  • What services they can access

  • Whether the device runs a supported operating system

  • Whether updates are enabled

It may also be advisable to establish whether the device requires controls such as screen locking, encryption, mobile device management or conditional access.

Real-World Examples:

  • A personal phone used only for MFA prompts may be out of scope as it acts only as an authentication device.

  • If that same phone is used to access work email, files or cloud applications such as Teams or SharePoint it is far more likely to fall within scope.


The 14-day Update Requirement

Cyber Essentials makes it clear that organisations must manage operating system updates properly. The official NCSC requirements state that all operating systems must be updated, including vulnerability fixes, within 14 days of release, where:

  • The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’

  • The vendor provides no details of the severity of the vulnerabilities that the update fixes

As ever, the detail and documentation are key.

In practice, businesses need to demonstrate a reliable patch management process for operating systems that can:

  • Identify relevant updates

  • Deploy them quickly

  • Produce evidence that every in-scope device is being kept up to date
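The scoping test, the support-status inventory and the 14-day update window described above can be checked mechanically. The following is an added example, not code from the original article or from Cyber Tec: it runs a constructed device inventory against a constructed end-of-support table (the dates are sample values, not a live vendor feed) and reports, for each in-scope device, whether its OS is supported and how far past the 14-day window its newest critical fix has gone uninstalled.

```python
from dataclasses import dataclass
from datetime import date
PATCH_WINDOW_DAYS = 14  # critical/high-risk fixes must be applied within 14 days of release
AS_OF = date(2026, 6, 15)  # constructed assessment date
# Constructed end-of-support table (sample dates, not a vendor feed); None = still supported.
END_OF_SUPPORT = {
    ("Windows", "10"): date(2025, 10, 14),
    ("Windows", "11"): None,
    ("Ubuntu", "20.04"): date(2025, 5, 31),
    ("Ubuntu", "24.04"): None,
}

@dataclass
class Device:
    name: str
    os: str
    version: str
    accesses_org_data: bool   # the scoping test: can it reach company data or services?
    latest_vendor_fix: date   # release date of the newest critical/high-risk vendor update
    last_fix_installed: date  # release date of the newest update actually installed

def support_status(dev: Device, today: date) -> str:
    if (dev.os, dev.version) not in END_OF_SUPPORT:
        return "unknown"  # a gap in the inventory is itself a finding to fix
    eos = END_OF_SUPPORT[(dev.os, dev.version)]
    return "supported" if eos is None or eos > today else "unsupported"

def days_overdue(dev: Device, today: date) -> int:
    # Days beyond the 14-day window that the newest vendor fix has gone uninstalled.
    if dev.last_fix_installed >= dev.latest_vendor_fix:
        return 0
    return max(0, (today - dev.latest_vendor_fix).days - PATCH_WINDOW_DAYS)

def assess(devices: list, today: date) -> dict:
    # One finding per in-scope device; out-of-scope devices (e.g. an MFA-only phone) are skipped.
    report = {}
    for dev in devices:
        if not dev.accesses_org_data:
            continue
        support, overdue = support_status(dev, today), days_overdue(dev, today)
        report[dev.name] = {"support": support, "days_overdue": overdue,
                            "compliant": support == "supported" and overdue == 0}
    return report

# Constructed sample inventory used to exercise the check.
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows", "11", True, date(2026, 6, 2), date(2026, 6, 3)),
    Device("LAPTOP-02", "Windows", "10", True, date(2026, 5, 12), date(2026, 5, 12)),
    Device("SRV-WEB", "Ubuntu", "24.04", True, date(2026, 5, 12), date(2026, 4, 1)),
    Device("MFA-PHONE", "Android", "14", False, date(2026, 6, 1), date(2026, 6, 1)),
]
```

Running `assess(SAMPLE_DEVICES, AS_OF)` flags the Windows 10 laptop as unsupported and the Ubuntu server as 20 days past the window, while the MFA-only phone produces no finding because it fails the scoping test.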

Handling Legacy and Unsupported Systems

Some organisations have legacy systems that can’t be upgraded easily, such as:

  • Specialist software

  • Operational technology

  • Lab systems, manufacturing environments

  • Old servers or applications tied to older operating systems

These unsupported systems need a practical technical response with clear evidence. Risk acceptance alone is not enough. Identifying them early is the most appropriate course of action before deciding whether to:

  • Replace devices that can’t support a current OS
  • Migrate away from unsupported platforms
  • Restrict access to essential users only

All these options can be modelled and investigated well before certification is assessed, to understand the business impact and resource implications of each.

The Windows 10 End of Life Issue

Windows 10 is now a live compliance issue for many organisations as support officially ended in October 2025. Businesses still using Windows 10 should review affected devices and decide whether to upgrade, replace older hardware or use Microsoft’s Extended Security Updates route where appropriate.

For Cyber Essentials, this may mean removing Windows 10 devices from organisational use and segregating systems that cannot be upgraded. 

As ever, documenting a full remediation plan before assessment is the only way to ensure you have identified the issue and recognised the requirement for change.

Common Myths for Operating Systems and Cyber Essentials

Tackling some of the most popular misconceptions is a rapid and simple way to stress test your Cyber Essentials preparation.

Here is a collection of what the Cyber Tec team hears most often:

“The OS is fine if the device still works”

“Automatic updates prove compliance”

“Our IT provider handles updates, so we do not need evidence”

“BYOD is always out of scope”

“A personal phone used only for MFA is basically a work device”

“Our ChromeOS devices are always compliant because they update automatically”

“Legacy systems can stay if the business accepts the risk”

The answer in each case is the same:

Cyber Essentials looks for supported, updated and properly managed systems, backed by evidence.


Evidence Checklist

In practice, this means that organisations should be ready to provide:

  • An up-to-date asset inventory

  • Operating system names and versions

  • Support status for each OS version

  • Patch and update policies

  • Patch deployment or MDM reports

  • BYOD policy and device access rules

  • Records of unsupported or legacy systems

  • Remediation or segregation evidence where relevant


How Cyber Tec can Help

Cyber Tec has over 30 years of experience helping businesses with their cybersecurity. We can help with the full Cyber Essentials certification journey through:

  • Assessing your current environments

  • Identifying unsupported operating systems on your business devices

  • Reviewing update processes

  • Preparing evidence

  • Remediating issues before assessment

Contact the team today to start your cyber resilience journey.

To discuss how Cyber Tec can support your organisation through Cyber Essentials certification and ongoing compliance, contact us today.
